Video-calling platform Zoom is boosting its security profile by acquiring a small startup called Keybase. The 25-person, New York-based company will build end-to-end encryption for Zoom calls on paid subscriptions, so that meeting content can be read only by the attendees' clients and not by Zoom's own servers.
“Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees,” Zoom CEO Eric Yuan explained in a Thursday blog post. “An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees.”
Critically, the encryption keys for the calls will no longer be generated and held on Zoom's servers, as they are today. In Zoom's existing approach, Yuan explained, meeting content is encrypted using industry-standard AES-GCM with 256-bit keys and decrypted at the other end of the session. But the per-meeting keys are generated by Zoom's servers, which means Zoom itself holds the keys and is in a position to decrypt the traffic: this is transport encryption between client and server, not end-to-end encryption.
With Keybase implemented, those keys will be under the control of the host.
“The host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting,” Yuan said. “We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.”
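The key-management scheme Yuan describes can be made concrete. The following is an added example written for this article, not Zoom's or Keybase's code, and it uses only the Go standard library (crypto/ecdh requires Go 1.20 or later). Zoom's post does not name the asymmetric algorithm, the key-derivation step or the envelope format, so the choices here are assumptions: X25519 identity keys for each device, an HKDF-style HMAC-SHA256 derivation, and AES-256-GCM to seal the meeting key (the same AES mode Zoom already uses for media). The participants Bob, Carol and Eve and the roster map are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Device is one attendee client with a long-term X25519 identity keypair (assumed; Zoom's post names no algorithm); only PublicKey is published to the directory.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return &Device{priv: priv}
}

func (d *Device) PublicKey() *ecdh.PublicKey { return d.priv.PublicKey() }

// Envelope is the meeting key wrapped for one device: an ephemeral X25519 public key plus the AES-256-GCM-sealed key.
type Envelope struct{ EphPub, Nonce, Sealed []byte }

// wrapKey turns the X25519 shared secret into a 256-bit AES key via HKDF-style HMAC-SHA256 extract/expand (illustrative KDF).
func wrapKey(shared, ephPub, recipPub []byte) []byte {
	extract := hmac.New(sha256.New, append(append([]byte{}, ephPub...), recipPub...))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("meeting-key-wrap\x01"))
	return expand.Sum(nil)
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	return aead
}

// Wrap seals meetingKey to one recipient public key under a fresh ephemeral keypair; envelopes are all the server relays.
func Wrap(meetingKey []byte, recip *ecdh.PublicKey) Envelope {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	shared, err := eph.ECDH(recip)
	must(err)
	aead := gcm(wrapKey(shared, eph.PublicKey().Bytes(), recip.Bytes()))
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return Envelope{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, meetingKey, recip.Bytes())}
}

// Unwrap recovers the meeting key; anyone without the recipient private key derives a different wrapping key and GCM fails.
func (d *Device) Unwrap(env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphPub)
	must(err) // a malformed envelope is a transport bug, not a confidentiality question
	shared, err := d.priv.ECDH(ephPub)
	must(err)
	return gcm(wrapKey(shared, env.EphPub, d.PublicKey().Bytes())).Open(nil, env.Nonce, env.Sealed, d.PublicKey().Bytes())
}

// Rotate is the host's step on any roster change: mint a fresh 256-bit meeting key and envelope it for every admitted device.
func Rotate(roster map[string]*ecdh.PublicKey) (key []byte, envelopes map[string]Envelope) {
	key = make([]byte, 32)
	rand.Read(key)
	envelopes = make(map[string]Envelope, len(roster))
	for name, pub := range roster {
		envelopes[name] = Wrap(key, pub)
	}
	return key, envelopes
}

// Demo: Bob and Carol unwrap the first key, Eve (sees every envelope, holds no admitted private key) cannot; removing Carol rotates.
func Demo() (bobOK, carolOK, eveFails, carolLockedOut bool) {
	bob, carol, eve := NewDevice(), NewDevice(), NewDevice()
	roster := map[string]*ecdh.PublicKey{"bob": bob.PublicKey(), "carol": carol.PublicKey()}
	key1, env := Rotate(roster)
	kb, eb := bob.Unwrap(env["bob"])
	kc, ec := carol.Unwrap(env["carol"])
	_, ee := eve.Unwrap(env["bob"])
	bobOK, carolOK, eveFails = eb == nil && string(kb) == string(key1), ec == nil && string(kc) == string(key1), ee != nil
	delete(roster, "carol") // attendee list changed: new key, enveloped only for Bob
	key2, env := Rotate(roster)
	kb2, eb2 := bob.Unwrap(env["bob"])
	_, carolEnveloped := env["carol"]
	carolLockedOut = eb2 == nil && string(kb2) == string(key2) && !carolEnveloped && string(kc) != string(key2)
	return
}

func main() { fmt.Println(Demo()) } // true true true true
```

Two things to notice. First, everything that passes through the server in this model (the public-key directory and the envelopes) is useless without an admitted device's private key, which is what makes the scheme end-to-end rather than transport encryption. Second, the property depends entirely on the host enveloping the key to the right public keys: if whoever runs the directory could swap in a key of their own, the host would hand them the meeting key. That is why Yuan's description leans on the stored identities being used to "establish trust relationships" between attendees rather than simply being looked up.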
The hope is that the move will help address the "Zoombombing" and other attacks that have plagued the platform, as well as privacy concerns about Zoom's own access to call content and its sharing of data with other companies. End-to-end encryption by itself keeps meeting content away from Zoom's servers and from anyone on the network path; keeping uninvited guests out depends on the host's client declining to hand them a meeting key.
As it has ramped up to 300 million daily meeting participants during the pandemic-sparked work-from-home surge, Zoom has suffered a legion of bad headlines on both fronts. For instance, Zoom's current state of encryption is at the heart of a class-action lawsuit that alleges that Zoom only encrypts the transport link between client and server, leaving the service itself able to access meeting data.
“Zoom’s acquisition of the Keybase team allows it to lay the foundation for what’s known as end-to-end encryption within their platform,” said Tim Mackey, principal security strategist at Synopsys CyRC, via email. “For normal users, the addition of end-to-end encryption should be viewed as enhancing the overall security of their meetings. With recent examples of inappropriate accesses to meetings on the conferencing platforms, this end-to-end encryption helps ensure that any potential for a meeting to be intercepted or for someone to otherwise ‘hack’ into a meeting are minimized.”
Users with paid subscriptions will be able to opt into the feature – but there will be a tradeoff in functionality. Opting in means that calling in by phone for the audio portion of the call, and cloud-based recording of Zoom sessions, will both be disabled, since both require Zoom's infrastructure to decrypt the meeting.
“Once implemented, these changes won’t come without some disruption to existing users who may currently access their meetings with devices that are incapable of supporting Zoom’s end-to-end encryption protocols,” Mackey said. “I would expect Zoom to address any shortcomings with these devices within their vendor ecosystem, so the impact to most users should be minimal.”
As for the timeline, it could take a few months for full rollout. In a first step, Zoom plans to publish full details of the Keybase cryptographic draft design on Friday, May 22.
Keybase, founded in 2014, has raised $10.8 million so far, thanks to a 2015 financing round led by Andreessen Horowitz. Terms of the Zoom deal were not released.
The acquisition is the latest move by the company to face its security issues. Yuan put in place a 90-day plan on April 1; the steps taken so far include installing ex-Facebook CISO Alex Stamos as an outside consultant, and establishing a “CISO Council,” which includes executives from HSBC, NTT Data, Procore and Ellie Mae, as well as an advisory board of security leaders from companies such as VMware, Netflix and Uber.
Zoom recently had to kill a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a Motherboard report disclosed that the transferred information included data on when a user opened the app, a user’s time zone, device OS, device model and carrier, screen size, processor cores and disk space. The company also eliminated its LinkedIn Sales Navigator integration, which came under fire for “undisclosed data mining” of users’ names and email addresses, which the service used to match them with their LinkedIn profiles.
Meanwhile, it has also made a key change to the Zoom client to mitigate the Zoombombing attacks that have surfaced during the surge in use.